# NixOS module: TU Darmstadt network access.
#   * exposes the root CA certificate used for the eduroam profile under /etc/ssl/certs,
#   * installs the eduroam NetworkManager profile from a sops-managed secret,
#   * declares an OpenConnect (AnyConnect protocol) VPN profile for vpn.hrz.tu-darmstadt.de.
{ pkgs, ... }@all:
with all;
{
  # Single root certificate taken from the unbundled cacert output and published
  # under a stable name, so a connection profile can reference this one CA
  # instead of the whole system trust store.
  # NOTE(review): the eduroam profile itself is not visible here. Confirm that it
  # points its 802.1X `ca-cert` at this file and also restricts the RADIUS server
  # name (e.g. `domain-suffix-match`); a CA pin without a name check still accepts
  # any server certificate issued under that root.
  environment.etc."ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";

  # The eduroam profile is delivered through sops rather than ensureProfiles:
  # anything written into ensureProfiles ends up in the world-readable Nix store.
  # root:0600 matches what NetworkManager requires of keyfiles in
  # system-connections.
  sops.secrets."eduroam/tuda_nmconnection" = {
    owner = "root";
    mode = "0600";
    path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
  };

  # CLI client plus the NetworkManager plugin (the plugin is also registered
  # with NetworkManager below).
  environment.systemPackages = [
    pkgs.openconnect
    pkgs.networkmanager-openconnect
  ];

  networking.networkmanager = {
    plugins = [ pkgs.networkmanager-openconnect ];

    ensureProfiles.profiles."tuda-vpn" = {
      connection = {
        id = "tuda-vpn";
        type = "vpn";
        # Manual connect only.
        autoconnect = "false";
      };

      ipv4.method = "auto";
      ipv6 = {
        method = "auto";
        addr-gen-mode = "stable-privacy";
      };

      vpn = {
        service-type = "org.freedesktop.NetworkManager.openconnect";
        protocol = "anyconnect";
        gateway = "vpn.hrz.tu-darmstadt.de";
        authtype = "password";

        disable_udp = "no";
        pem_passphrase_fsid = "no";
        stoken_source = "disabled";

        # Do not run the host-scan ("CSD trojan") program offered by the gateway.
        enable_csd_trojan = "no";

        # NOTE(review): "no" presumably leaves the user able to accept a gateway
        # certificate that failed validation in the auth dialog. Consider "yes"
        # so a validation failure is a hard stop; check first that the gateway's
        # chain validates against the system trust store.
        prevent_invalid_cert = "no";

        # NetworkManager secret flags: 0 = stored by NetworkManager,
        # 2 = not saved (requested again on every connect).
        # The session cookie, resolved gateway and gateway certificate are not
        # persisted.
        cookie-flags = "2";
        gateway-flags = "2";
        gwcert-flags = "2";
        resolve-flags = "2";

        autoconnect-flags = "0";
        certsigs-flags = "0";
        lasthost-flags = "0";
        xmlconfig-flags = "0";
        # NOTE(review): integer here, strings elsewhere. No password is set in
        # this profile; confirm 0 (stored by NetworkManager) is the intended
        # policy rather than 2 (never saved).
        password-flags = 0;
      };
    };
  };
}